PM72186: NETSTAT ALL SENDSTALLED INDICATOR IS YES WHEN TCP CONNECTION IS RUNNING NORMALLY

Obtain the fix for this APAR.

APAR status

• Closed as program error.

Error description

• The NetStat ALL SendStalled Yes indicator is normally used to
  indicate that an attack has been detected, negatively
  impacting performance.   However, in this case, despite the fact
  that there was no attack, and the TCPIP connection was
  performing normally, the Netstat ALL display still showed
  SendStalled Yes. In addition, NETSTAT STATS showed
  CurrentStalled Connections         = 1
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED: All users of the IBM Communications Server   *
  *                 for z/OS Version 1 Release(s) 13 IP          *
  ****************************************************************
  * PROBLEM DESCRIPTION: Display NETSTAT shows SENDSTALLED=YES   *
  *                      for a single TCP connection even though *
  *                      the connection was normally operating.  *
  *                                                              *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  During Global TCP attack processing, a consideration was not
  taken into an account to check for window scaling.
  If a window scaling is in place, a small window size TCP
  header does not mean that the connection is exposed to an
  attack.
  A TCP header window size smaller than the MTU of
  the connection was considered as an attack which is not
  the case if window scaling is in place.
  Also, there was no indication of an attack. TCP communication
  for the connection was normal.
  +-------------------------------------------------------------+
  + Please check our Communications Server for OS/390 homepages +
  + for common networking tips and fixes.  The URL for these    +
  + homepages can be found in Informational APAR II11334.       +
  +-------------------------------------------------------------+
  

Problem conclusion

• EZBTCRD has been amended to consider window scaling when
  processing global TCP attack conditions.
  
  * Cross Reference between External and Internal Names
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

  UK82632

Modules/Macros

•    EZBTCRD
  

Fix information

• Fixed component name

  TCP/IP V3 MVS

• Fixed component ID

  5655HAL00

Applicable component levels

• R1D0 PSY UK82632

     UP12/11/28 P F211

Fix is available

• Select the PTF appropriate for your component level. You will be required to sign in. Distribution on physical media is not available in all countries.